How to spot a fake, spoof or phishing email

What makes it so easy to fall prey to phishing emails is that they look perfectly legitimate–official-looking emails from reputable companies getting in touch for seemingly reasonable purposes. It could be Apple, PayPal, or your bank. No matter how shrewd you are, it only takes one moment to let your guard is down and become a victim. A phishing email will typically focus on the giving and verification of information. But how do you recognize the difference between a genuine email and a spoof?

Best practice tips to avoid phishing scams:

Email is not encrypted by default. For that reason, it would be extremely rare and irresponsible for a reputable company to ask for private information–passwords, credit card numbers, etc. A real company might alert you using an email, but it would never disclose personal details or ask for them in return over email. It’s highly unlikely that a bank or any other official body will ask you for passwords or personal info.

Don’t trust display names. A display name is the reader-friendly title of a person or company that appears in your inbox. Check the actual email address first. If you don’t like the look of it, don’t open it. Many inboxes will only reveal a display name and nothing else, so always check the email address thoroughly.

In the email address, look for fake domains. The domain is whatever comes after the ‘@’ symbol in the email address. A scammer’s address will have a slight deviation in spelling from the real one – it could be something as simple as a hyphen or a different letter. For instance, a phishing email from PayPal could come from support@pay-pal.com instead of support@paypal.com.

Look for a logo. Counterfeits are usually copied from an authentic site but have been altered or appear in low resolution. Check it against the organization you usually deal with; look at their website and compare. Better still, run it against a previous email from past correspondence if you have any. Go on the company website and see if they have any literature about what to look out for. If clients are often targeted by cyber criminals, they may have a knowledge base of advice, guidance, and warning signs.

If you notice anything suspicious about the links in an email, don’t click on them. It sounds abundantly obvious, but sometimes we’re in such a rush we don’t think before we click on a link. Links can lead to websites that will download malware or spyware to your machine, a mock website that tricks you into entering a username and password, or sites filled with malicious advertisements and trackers.

Fake emails are notorious for bad spelling, if you see some obvious spelling mistakes and appalling grammar, then your inner alarm bell should be ringing.

How do they greet you? Phishing emails are usually sent to a huge list of addresses amassed from a number of sources. As a result, they are usually not personable. If they address you vaguely and not by name, or the salutation is overly friendly, then there’s a good chance the email is a scam. Some phishing emails are more targeted however, honing in on a specific people or group of people. This is called “spear phishing”, and it accounts for the vast majority of successful phishing scams, but only a small fraction of the total phishing emails sent every day.

Keep an eye out for language that’s coated in fearful words and a sense of urgency. Nothing that can be handled via email should be so urgent that it needs your immediate attention. If it is, ring your bank or whoever this email is from and ask them.

Remember to check the authenticity of digital signatures provided if your email client is able to do so. A digital signature is a sort of stamp that often appears as an attachment, such as smime.p7 on Mac OSX and iOS email clients. These attachments are verified with a third party to prove the sender is who they say they are. If the digital signature cannot be verified, you should see some sort of alert. Tread carefully.

Whatever you do, don’t click on attachments. Phishing emails typically use social engineering–a type of psychology used to manipulate people’s behavior–to trick victims into voluntarily giving up information. Attachments, however, often contain viruses, spyware, trojans, and malware. Once installed on a victim’s device, they can spy on the user’s activity or hijack the device.

Phishing examples

A recent example of this type of scam occurred when cybercriminals used the identity of the Irish Government to target PayPal users. They used a fake government address–no.reply@gov.ie, for instance. The emails snuck past spam filters and landed in people’s inboxes instead, giving them an impression of authenticity. A dramatic message stated the receiver’s account would be limited. Victims were ordered to contact PayPal immediately in order to restore their accounts account. Of course a dodgy link was given in order to do so rather than a genuine phone number.

Another example of a phishing email comes from an imitation Royal Bank of Scotland asking for verification of account details in order to update security information.

HMRC has its own handout on examples of phishing emails, showing just how prevalent it is for its customers. The handout includes an exhaustive list of potential fake email address to look out for.

It’s good to be skeptical

It’s important to remain skeptical at all times. If in doubt, ring the supposed senders of the email and ask them to confirm whether it was them who sent it. Make sure you use the phone number on the official website, not one given in the email. As well as being skeptical, remain vigilant and check the details. Here’s a quick recap of what to look out for:

Check the subject header – Spelling mistakes, a sense of urgency and fear

If you stay vigilant at all times, hopefully you won’t fall prey to a phishing email. Most webmail clients include free and automatic virus scans for attachments, but you should still invest in good antivirus software.

Forewarned is to be forearmed, and we hope we’ve given you enough information to fend off those phishing emails for the foreseeable future.